So about 3 months ago I "inherited" a Lotus Domino setup, and quite frankly, it's a mess. Historically, it's had 10 years of the primary focus being on development rather than on management and housekeeping (none of the latter was actually done, I had guys who'd left the place 11 years back still in admin groups), with a predictable end result.

Now, I know how to clean up a mess, but while I'm doing that I'm also keeping one eye on the future, and something that I'm interested in investigating is the possibility of Active Directory integration. It doesn't make sense to me - in 2009 - to have yet another bunch of systems that require yet another username and password, inviting people down the route of yellow-sticky-note-syndrome (not to mention doubling our user/password management overhead).

With clients being a mixture of browser-based and trad-client-based, I'm wondering how practical this is. Has anyone done it, and how well does it work? Do we get completely transparent authentication without requiring to even re-enter network credentials, do we still have to fool around with ID files (gack), can we add AD users to Domino groups, that kinda stuff.

The server is 8.0.2 (on 2003 Server), clients mostly 8.0.1 and IE6, database applications but not Notes Mail are used. What little info I've seen on IBM is incredibly vague on the whole topic.

3 Answers

I personally don't have experience with the Domino / AD integration, but I've long thought about it and hope to try implementing it this year. The things I do know are that IBM has a service built to synchronize Domino and AD user/group info in both directions, and that there is a company called PistolStar that appears to specialize in this area.

I would definitely start with the IBM integration service first and see where that gets you. In fact, I'm going to check it out today too.

I've read about the PistolStar stuff, and it seems to promise great things. I don't really like the look of the IBM solution - way too much jiggery-pokery required, it's still hung up on ID files, and it means not being able to segregate Domino admin from AD admin. But I'm going to award this "accepted" anyway, as it seems a good indication of the current state of play.
– Darth Melkor, Jun 23 '09 at 14:03

After reviewing the IBM solution, I agree it's less than ideal. I have found no other solutions, unfortunately, other than 3rd-party SSO options like what PistolStar offers. I believe Notes 8.5 has made some steps toward better AD integration, but I've only read that in marketing materials and haven't dug deep into how it works.
– Ken Pespisa, Jun 24 '09 at 21:08

11 Years.... Although I don't know about your SSO goals, I would have to definitely say that it's time for a fresh install on a new/virtual server and to move everything over, then create the users you need (or if you find out about SSO, setting that up).